Http-01 fails with connection error?

stubenhocker · February 17, 2023, 5:42pm

I am not sure If this is the right place to ask however I try. Feel free to delete this post if I posted on the wrong place. I set up a gitea server and can't get a let's encrypt certificate but I am not sure if this might be a network/connection problem or a misconfiguration of gitea. I think gitea utalizes a certbot on its boot process in order to get a let's encrypt certificate. However this fails (see log below).

The http-01 challenge failed but the host is reachable via http on port 80 from external? Is there a way to debug this issue?

My domain is: git.stubenhocker.tech

I ran this command:
GITEA_WORK_DIR=/mnt/data/gitea/ /usr/local/bin/gitea web -c /etc/gitea/app.ini

It produced this output:

1.6766548312522943e+09  info    maintenance     started background certificate maintenance      {"cache": "0xc000147570"}
1.6766548312532663e+09  info    obtain  acquiring lock  {"identifier": "git.stubenhocker.tech"}
1.676654831260435e+09   info    obtain  lock acquired   {"identifier": "git.stubenhocker.tech"}
1.6766548312608883e+09  info    obtain  obtaining certificate   {"identifier": "git.stubenhocker.tech"}
1.6766548312946668e+09  info    waiting on internal rate limiter        {"identifiers": ["git.stubenhocker.tech"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "alpha@anonymous.digital"}
1.6766548312947736e+09  info    done waiting on internal rate limiter   {"identifiers": ["git.stubenhocker.tech"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "alpha@anonymous.digital"}
1.6766548323967907e+09  info    acme_client     trying to solve challenge       {"identifier": "git.stubenhocker.tech", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
1.6766548329715614e+09  error   acme_client     challenge failed        {"identifier": "git.stubenhocker.tech", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "82.197.161.171: Fetching http://git.stubenhocker.tech/.well-known/acme-challenge/6VZUk0mYa9l9TwDo0uvkMkPyTMLrzMSqO4QMg6WrwtM: Connection refused", "instance": "", "subproblems": []}}
1.6766548329718156e+09  error   acme_client     validating authorization        {"identifier": "git.stubenhocker.tech", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "82.197.161.171: Fetching http://git.stubenhocker.tech/.well-known/acme-challenge/6VZUk0mYa9l9TwDo0uvkMkPyTMLrzMSqO4QMg6WrwtM: Connection refused", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/968237346/165349594476", "attempt": 1, "max_attempts": 3}
1.6766548343264039e+09  info    acme_client     trying to solve challenge       {"identifier": "git.stubenhocker.tech", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
1.6766548353137372e+09  error   acme_client     challenge failed        {"identifier": "git.stubenhocker.tech", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "82.197.161.171: Connection refused", "instance": "", "subproblems": []}}
1.6766548353140833e+09  error   acme_client     validating authorization        {"identifier": "git.stubenhocker.tech", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "82.197.161.171: Connection refused", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/968237346/165349598436", "attempt": 2, "max_attempts": 3}
1.6766548353144171e+09  error   obtain  could not get certificate from issuer   {"identifier": "git.stubenhocker.tech", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - 82.197.161.171: Connection refused"}
1.676654835314611e+09   info    obtain  releasing lock  {"identifier": "git.stubenhocker.tech"}

My web server is (include version):
gitea 1.18.3 (https://gitea.com/)

The operating system my web server runs on is (include version):
Debian 11

My hosting provider, if applicable, is:
Self hosted

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): None

Bruce5051 · February 17, 2023, 5:48pm

Hello @stubenhocker, welcome to the Let's Encrypt community.

Have you tried Let's Debug?

Bruce5051 · February 17, 2023, 5:58pm

Also here is a list of issued certificates crt.sh | stubenhocker.tech, the latest being 2023-02-15 for git.stubenhocker.tech

stubenhocker · February 17, 2023, 6:01pm

Thanks @Bruce5051
I didn't kow that such a tool exists. However it says that at least the http-01 challange should be possible since the connection to the webserver can be made.

Thats odd, according to my logs I never got a certificate. It seems like the gitea software I use does silly things...

Bruce5051 · February 17, 2023, 6:06pm

Hi @stubenhocker,

You might want to look to forums for gitea

Osiris · February 17, 2023, 6:44pm

Well, currently it says something else entirely:

ANotWorking

ERROR

git.stubenhocker.tech has an A (IPv4) record (82.197.161.171) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "http://git.stubenhocker.tech/.well-known/acme-challenge/letsdebug-test": dial tcp 82.197.161.171:80: connect: connection refused

Trace:
@0ms: Making a request to http://git.stubenhocker.tech/.well-known/acme-challenge/letsdebug-test (using initial IP 82.197.161.171)
@0ms: Dialing 82.197.161.171
@101ms: Experienced error: dial tcp 82.197.161.171:80: connect: connection refused

IssueFromLetsEncrypt

ERROR

A test authorization for git.stubenhocker.tech to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

82.197.161.171: Fetching http://git.stubenhocker.tech/.well-known/acme-challenge/JpeZ5vi7Ijm1f3dQU6gQe_PI5-jGbOEWRq3j3O6V2Sk: Connection refused

From my location I see the same: connection refused.

Is the IP address correct?

stubenhocker · February 17, 2023, 6:58pm

@Osiris Yeah, I gave up with the certbot integration of gitea and used an nginx reverse proxy instead.
Everything works fine for now. Thanks anyone!

Osiris · February 17, 2023, 7:22pm

How do you mean 'certbot integration'? I'm not aware Gitea uses Certbot internally. According to the Gitea source, it uses the certmagic from Caddy (gitea/web_acme.go at e7ef94e00f1319e5fb876f47fee28728bd671f07 · go-gitea/gitea · GitHub).

system · March 19, 2023, 7:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.